WhatsApp encryption debate escalates

WhatsApp’s claim that messages are encrypted by default is under new attack, after a dismissed whistleblower suit and fresh public accusations from Telegram founder Pavel Durov. (nytimes.com) (t.me) End-to-end encryption means only the sender and recipient can read a message while it is in transit; WhatsApp says calls, messages, photos, videos, documents and files are protected that way, including from WhatsApp itself. WhatsApp says more than 2 billion people in over 180 countries use the service. (whatsapp.com 1) (whatsapp.com 2) The current dispute turns on what is covered by that promise and what is not. Durov wrote on Telegram that WhatsApp’s “encryption” may be “the biggest consumer fraud in history,” arguing that many users still leave chat backups on Apple or Google cloud systems unless they turn on extra protection. (t.me) (faq.whatsapp.com) WhatsApp says those backups can be protected too, but only if users enable end-to-end encrypted backups with a password or 64-digit key. The company has also added chat lock tools and a key-transparency system that lets users verify they are talking to the right person, not an impostor. (faq.whatsapp.com 1) (faq.whatsapp.com 2) (engineering.fb.com) That gap between protected messages and optional backups is where much of the argument now sits. Critics say “encrypted by default” can mislead people if they do not realize cloud backups, device compromise and account takeover can still expose chat histories. (t.me) (forbes.com) The legal fight that sharpened the debate started in September 2025, when former WhatsApp security leader Attaullah Baig sued Meta in federal court in San Francisco. Baig alleged internal security failures, weak access controls and privacy risks that he said could expose user data and lead to more than 100,000 account hacks a day. (documentcloud.org) (axios.com) (cnbc.com) A judge dismissed that whistleblower case in March 2026, and The New York Times reported on April 1, 2026 that the court found too little evidence that Baig was fired for raising those concerns. The dismissal did not amount to a court finding that WhatsApp had built a backdoor into its encryption. (courthousenews.com) (nytimes.com) Separate cases show a different problem: attackers often go around encryption instead of breaking it. In December 2024, a federal judge found NSO Group liable in WhatsApp’s long-running spyware case, and in January 2025 WhatsApp said Paragon Solutions had targeted about 90 users, including journalists and civil-society members. (courtlistener.com) (lawfaremedia.org) (aljazeera.com) Those incidents did not prove WhatsApp could read encrypted chats; they showed that spyware can seize messages from a phone before or after encryption, like photographing a letter after it is opened. That is why security researchers often separate transport security from device security and backup security. (techcrunch.com) (citizenlab.ca) Meta’s position is that WhatsApp remains an end-to-end encrypted service and that it keeps adding protections around the edges where people actually get hacked. The public fight is less about whether encryption exists on WhatsApp’s core messaging system than about whether the company explains the limits of that protection clearly enough. (whatsapp.com 1) (whatsapp.com 2)